High severity8.8NVD Advisory· Published Sep 14, 2017· Updated May 13, 2026

CVE-2017-14482

Description

GNU Emacs before 25.3 allows remote attackers to execute arbitrary code via email with crafted "Content-Type: text/enriched" data containing an x-display XML element that specifies execution of shell commands, related to an unsafe text/enriched extension in lisp/textmodes/enriched.el, and unsafe Gnus support for enriched and richtext inline MIME objects in lisp/gnus/mm-view.el. In particular, an Emacs user can be instantly compromised by reading a crafted email message (or Usenet news article).

Affected products

GNU/Emacs
cpe:2.3:a:gnu:emacs:*:*:*:*:*:*:*:*
Range: <=25.2
Debian/Debian Linux
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2017/09/11/1nvdMailing ListPatchThird Party Advisory
debbugs.gnu.org/cgi/bugreport.cginvdIssue TrackingMailing ListPatchVendor Advisory
git.savannah.gnu.org/cgit/emacs.git/commit/nvdIssue TrackingPatchThird Party Advisory
www.debian.org/security/2017/dsa-3970nvdThird Party Advisory
www.gnu.org/software/emacs/index.htmlnvdRelease NotesVendor Advisory
www.debian.org/security/2017/dsa-3975nvd
access.redhat.com/errata/RHSA-2017:2771nvd
security.gentoo.org/glsa/201801-07nvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.004
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000